In order to [illegible] COMSEC [illegible], standardize usage, and lower COMSEC costs, NSA established the Development Center for Embedded COMSEC Products (DCECP). The purpose of the DCECP, under a program entitled Project OVERTAKE, is the definition of a standard set of COMSEC modules to be used in embedded applications to provide the encryption/decryption functional requirements in link, data, and voice COMSEC systems. These modules are called Foresee, Tepache and Windster respectively.

This paper describes the use of the standard module set in a generic Command, Control and Intelligence system and addresses the issues of embedding these modules from a system integrator's viewpoint at both the system and unit host levels.

2.

2.1 Historical Background. Historically, endorsed cryptographic technology has been available only from NSA, generally in the form of limited-function, classified products with a strong functional bias toward the securing of passive communications links. This situation, combined with the ever closer integration of computers and communications, has caused many difficulties for groups attempting to incorporate cryptographic technology into host systems. Free-standing cryptographic units have been difficult to integrate, both physically and functionally, into modern computerized hosts. The classified nature of the products has often imposed physical security constraints which are incompatible with operational needs. The "communications-only" bias of the products has inhibited cryptographic solutions to computer security problems, such as the authentication of critical but forgeable user/computer dialogues and the securing of classified information on removable media. Finally, the available methods of management were often inconsistent with the volume, frequency, and nature of computerized communications.

2.2 Project OVERTAKE. The technical and managerial approaches used by Project OVERTAKE accommodate the near-total integration of computers and communications in contemporary systems by providing endorsed cryptographic technology in a radically different form: unclassified modules built to standardized interfaces by a broad supplier base and designed to be embedded within, as opposed to added onto, products and systems.

A radical change in a technology delivery mechanism inevitably involves a radical change in the relationships between the various organizations which must incorporate that technology into systems. In this paper we describe the new form of one such relationship: that between the provider of cryptographic technology and the host integrator. There are two significant areas of interest: what Project OVERTAKE delivers to the integrator, and what the responsibilities of the integrator are.


2.3 What the Integrator Receives. The integrator may obtain standardized, unclassified modules from any of a number of suppliers, along with support in the form of documentation and consultation. The documentation consists of an Interface Control Document (ICD) and an Embedding Manual, along with an informal list of "Do's and Don'ts." The ICD defines standard external interfaces which will be enforced for all implementations of the modules; the integrator can therefore use it to define "sockets" in future systems with the assurance that technology changes in the modules will not force systems redesign. Consultation and technical assistance is available both from NSA and the supplier selected by the integrator. In addition, NSA will provide an evaluation of the host system which will, if successful, lead to an endorsement of that system as authorized to handle classified or sensitive information.


2.4 What the Integrator Must [...]. In the contractual domain, the integrator must negotiate memoranda of understanding and agreement with NSA. These memoranda spell out various administrative responsibilities of the integrator; principal among these is the proper handling of [illegible] and Cryptographic Controlled Information. [Several words illegible] technical and [illegible] support [illegible].

In the technical domain, the integrator must satisfy the special physical and functional requirements of endorsed cryptographic technology. Functional requirements arise at two levels: system and host. System-level requirements and issues are those that deal with the selection of modules and their placement in a system architecture. Host-level requirements are those associated with the detailed placement of a module in a product, such as [illegible] or maintenance, and its relationship to that host.

3 EMBEDDING MODULES


3.1 Physical Module Requirements. The module is embedded within target host application equipments and, of itself, supplies only cryptographic functions. The equipment containing the module must supply all power conversion and regulation, TEMPEST shielding and filtering, and tamper detection sensors to supplement module secure operation. This approach avoids duplication of hardware in both the host and module, and results in a more generic module design suitable for embedment in a large variety of hosts. The host must also provide a [illegible] fill port to the module as a means of manually loading key. As an option, the host may also supply a crypto ignition interface to the module for more convenient operational startup.

FIGURE (caption partly illegible): Module integration is [illegible] by the use of standardized interfaces; defined interfaces must be [illegible] compatible.

3.2 System-Level Functional Requirements. Figure 3.2a describes a hypothetical system-level architecture which incorporates a representative set of hosts and inter-host links. Hosts are assumed to reside in disjoint physical security areas connected by insecure media. The vulnerabilities in such an architecture are as follows (numbers in parentheses are keyed to the diagram):

The untrusted front-end processor to the Trusted Computer Base could be subverted, permitting a variety of spoofing attacks (1). Active and passive wiretap attacks could be mounted against the Local Area Network (LAN) (2), the high-speed link (3), and the low-speed link (4). Media removed from the workstation could be forged or compromised while in an insecure area (5).


FIGURE 3.2a

When it is not practical to overcome such vulnerabilities by physical security means (by hardening communications lines or expanding the physical security perimeter), the standard cryptographic modules may be used. The selection of a particular module is guided by considerations of speed and functionality (e.g., provision for bypass). A representative set of choices is given below (keyed to the numerals in Figure 3.2b):


Tepache modules are embedded in the TCB and the user terminal in order to authenticate critical TCB/user exchanges (1). A Tepache module in the workstation and the same module in the TCB are used to encrypt LAN traffic (2). Two Foresee modules are used to protect traffic on the high-speed link (3) and two Windster modules are used to secure the low-speed link (4). A second Tepache module in the workstation is used to encrypt the removable media (5).

FIGURE 3.2b


Two Tepache modules are required in the workstation, since there are two interfaces to insecure media. A single module suffices for the TCB because there is only one such interface; the nature of the module permits its dual use as an encryptor/decryptor and an authenticator. Authentication is used instead of encryption on the user/TCB link because the transmission takes place entirely within the physical security perimeter; forging, not eavesdropping, is the threat. Message contents must be in the clear to permit efficient processing.

The second major system-level issue is that of key management: the [illegible] and how to integrate key management with the various communications and storage media protocols in the system. Project OVERTAKE will provide technical support to the integrator as well as key management modules; one such module is shown as part of the TCB in Figure 3.2. Encryption of information stored on fixed and removable media may raise applications-dependent issues, such as the impact of key changes upon archival storage. Integrators should anticipate that resolution of these and other key management issues will require access to classified information.

A final issue is that of interoperability. Different modules are interoperable with different existing cryptographic products such as the KG-84, KY-57, and [illegible]. [Illegible] interoperability requirements may dominate the selection criteria.
3.3 Host Level Functional Requirements. This section will discuss the requirements imposed upon the module integrator at the host domain level.

3.3.1 Red/Black Separation. The module interface is generic in structure and thus supports multiple inserts within a target host. For secure operation the module must be positioned on the logical boundary between red and black processing. The integrator can assure this by placing the module directly "inline" with the red to black data flow from the host. The integration must enforce the module "ownership" of the path in such a way that no logical compromises can be made. For example, take the Tepache module (Figure 3.3.1a). A proper positioning for its placement is between the host and the outgoing communications circuits. This ensures that the traffic on the I/O side of the module is black and on the host side is red. If there are multiple outgoing data paths from the host, then it is the integrator's responsibility to identify those paths and to ensure that modules are used in all instances.


In contrast to this, consider the installation shown in Figure 3.3.1b. The integrator has chosen a module placement not inline with a terminal red to black boundary. Clearly an "open port" or sneak path exists where red data can be output.
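The integrator's obligation above (identify every outgoing data path and confirm a module owns each one) can be checked mechanically once the host is written down as a data-flow graph. The following is an added example, not code from the paper or from Project OVERTAKE: it models a host as a directed graph whose nodes are red components, forwarding components, inline modules and black interfaces (all names and the two sample hosts are constructed), and reports any route from a red node to a black interface that never crosses a module, which is exactly the Figure 3.3.1b "open port" condition.

```python
"""Red/black placement audit for a host data-flow model.

Added example: it models the host as a directed graph and searches for
"sneak paths" - routes from red (plaintext) components to interfaces
on insecure media that do not pass through an inline module.
"""

# Node kinds used by the model (constructed for this example):
#   "red"    - processes or holds red (plaintext) data
#   "module" - an inline cryptographic module (Tepache, Foresee, Windster)
#   "black"  - an interface to insecure media (LAN, link, removable media)
#   "io"     - any other host component that only forwards data
HOST_INLINE = {  # constructed: the module owns the only outgoing path
    "nodes": {"cpu": "red", "bus": "io", "tepache": "module", "lan": "black"},
    "edges": [("cpu", "bus"), ("bus", "tepache"), ("tepache", "lan")],
}
HOST_OPEN_PORT = {  # constructed: a second port leaves the bus unprotected
    "nodes": {"cpu": "red", "bus": "io", "tepache": "module",
              "lan": "black", "serial": "black"},
    "edges": [("cpu", "bus"), ("bus", "tepache"), ("tepache", "lan"),
              ("bus", "serial")],
}


def sneak_paths(host):
    """Return every red-to-black path that never traverses a module.

    An empty list means each outgoing data path is "owned" by a module;
    each returned path is an open port where red data could be output.
    """
    nodes, edges = host["nodes"], host["edges"]
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)

    found = []
    for start, kind in nodes.items():
        if kind != "red":
            continue
        # Depth-first walk; the flag records whether a module was crossed.
        stack = [(start, [start], False)]
        while stack:
            node, path, covered = stack.pop()
            kind = nodes[node]
            if kind == "module":
                covered = True
            if kind == "black":
                if not covered:
                    found.append(path)
                continue             # black interfaces are sinks
            for nxt in adj.get(node, []):
                if nxt not in path:  # do not loop on cycles
                    stack.append((nxt, path + [nxt], covered))
    return found


def placement_is_inline(host):
    """True when the host has no sneak path (Figure 3.3.1a style placement)."""
    return not sneak_paths(host)


if __name__ == "__main__":
    for name, host in (("inline", HOST_INLINE), ("open port", HOST_OPEN_PORT)):
        print(name, "->", sneak_paths(host) or "no sneak paths")
```

The audit deliberately treats any forwarding component (bus, DMA engine, second port) as able to carry red data: only a node typed as a module clears the flag, so a path that merely passes near a module without going through it is still reported.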

3.3.2 Message Format and Assembly. In the classic system environment of cryptology, most systems operating in a system high state (secure) do not gracefully degrade to a clear state without a break or total disruption of the communications. This burden may be acceptable for point to point communication systems but becomes intolerable for packet-switched systems or LANs where multipoint connections are common. The modules (in particular the Tepache) need to support multipoint networks. To support this a basic packet format for the module is proposed (see Figure 3.3.2a). The whole packet can be envisioned as encrypted but in the more general case only the body is encrypted, while the header and trailer remain unencrypted. There is good reason for this. In most present day multipoint networks the trailer data supports error detection and correction. To allow encryption to work in these systems (in a transparent way at the data link level) an unencrypted trailer is a necessity. The same argument can be applied toward the use of an unencrypted header. The header is used by most systems to identify message type, source and destination. For a more rigorous application where traffic flow analysis can lead to some form of compromise, the use of unencrypted headers is dangerous.

When unencrypted headers or trailers are used in an application, other considerations must be taken into account. The considerations are illustrated in two cases, both of which are presented from the aspect of decryption (the same rationale can be applied from the viewpoint of encryption as well).

For all cases the module is assumed to be placed along a terminal red/black boundary in the host. For case one, on the black side it is assumed that there is no "smart" hardware for message disassembly (i.e., which part of the message should go through a decryption process and which should not). In this case (see Figure 3.3.2b) the entire message packet has to be passed through the module to the host without processing. Once received by the host, the message can then be disassembled into its encrypted and unencrypted parts. The encrypted parts are then fed back through the module from the host side for decryption and then assembled into a fully decrypted message.

An advantage to this approach is that the I/O used in such a host can be fairly unsophisticated (i.e., UART or parallel port). A distinct disadvantage with this process is the additional time delay incurred through a second pass of data to the module.


In case two (see Figure 3.3.2c), the assumption is that the I/O is sophisticated enough so that additional functions of assembly and disassembly can be imposed upon it (thereby offloading the host). The I/O buffers the black message and disassembles it into encrypted and unencrypted parts. It then transfers the unencrypted part through the module to the host; the encrypted part is also passed through, but decrypted "on the fly." The end result on the host side is that only unencrypted messages are seen. This example is typical of the approach required for LANs where a complicated I/O is the norm.

3.3.3 Bypass. Encryption is a symmetric process to the decryption, with the exception that unencrypted portions (i.e., header, trailer) must pass over the red/black boundary. In the Tepache module, bypass is an internal function, audited to prevent abuse. In the Foresee and Windster, bypass is an external function (not serviced by the modules). It is the responsibility of the integrator to control all bypass functions so as not to cause major insecurities to a system using Foresee or Windster, and to prevent alarm lockup situations in the Tepache.

3.3.4 Cryptographic Modes. Each module type supports several cryptographic modes. These modes allow for use of cryptology under a number of different system situations and provide backward compatibility to a number of existing crypto equipments. It is primarily a host responsibility to enforce proper use of module cryptographic modes. The system designer must identify that subset of modes applicable to the system and then pass this information on to the host integrators for proper mode use at host level.

The exact place where crypto sync is detected varies among the module types. In modules like Foresee and Windster, the loss of sync is detected within the module. In the Tepache the loss of sync must be detected by the host. In all cases once a loss of sync has occurred, it is a host action to correct.
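The packet format of 3.3.2 (cleartext header and trailer around an encrypted body), its two decryption flows (case one with a dumb I/O, case two with a smart I/O), and the audited bypass of 3.3.3 fit together in one small model. The following is an added example and is not Project OVERTAKE or module code. It assumes a constructed header layout (type, source, destination), a CRC-32 trailer computed over the header plus ciphertext so that link error detection works without a key, a stand-in keystream cipher (HMAC-SHA256 in counter mode) where an endorsed algorithm would sit, and a bypass path that is logged on every use and size-bounded in the red-to-black direction; key and nonce handling is left to the host, which is where the paper places key management.

```python
"""Packet format with cleartext header/trailer, encrypted body, and an
audited bypass path.

Added example, not Project OVERTAKE code. Header layout, trailer, the
stand-in cipher and the bypass policy are all constructed for this
illustration; the host is assumed to manage key and nonce.
"""
import hashlib
import hmac
import struct
import zlib

HEADER_FMT = ">BHH"                      # message type, source, destination
HEADER_LEN = struct.calcsize(HEADER_FMT)
TRAILER_LEN = 4                          # CRC-32 over header + ciphertext
MAX_RED_BYPASS = 16                      # cleartext bytes allowed red->black per packet


def keystream(key, nonce, length):
    """Stand-in keystream (HMAC-SHA256 in counter mode), used only so the
    example runs offline; the module would supply an endorsed algorithm."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


class Module:
    """Inline module sitting on the red/black boundary of a host."""

    def __init__(self, key):
        self.key = key
        self.bypass_log = []     # audit trail: (direction, byte count)

    def crypt(self, nonce, data):
        """Symmetric: the same call encrypts a body and decrypts a ciphertext."""
        ks = keystream(self.key, nonce, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def bypass(self, direction, data):
        """Move cleartext across the boundary unprocessed. Every use is
        logged; red->black use is size-bounded so this path cannot carry
        message bodies around the cipher."""
        if direction == "red_to_black" and len(data) > MAX_RED_BYPASS:
            raise ValueError("red->black bypass of %d bytes refused" % len(data))
        self.bypass_log.append((direction, len(data)))
        return data


def crc(data):
    return struct.pack(">I", zlib.crc32(data) & 0xFFFFFFFF)


def send(module, nonce, msg_type, src, dst, body):
    """Encryption side: the header crosses via bypass, the body is encrypted,
    and the trailer is computed on the black side over what is transmitted."""
    header = module.bypass("red_to_black", struct.pack(HEADER_FMT, msg_type, src, dst))
    enc = module.crypt(nonce, body)
    return header + enc + crc(header + enc)


def split_packet(pkt):
    """Disassemble a black packet. The CRC covers the ciphertext, so link
    error detection needs no key and can run before decryption."""
    header, enc, trailer = pkt[:HEADER_LEN], pkt[HEADER_LEN:-TRAILER_LEN], pkt[-TRAILER_LEN:]
    if trailer != crc(header + enc):
        raise ValueError("trailer CRC mismatch: link error or corruption")
    return header, enc


def receive_case_one(module, nonce, pkt):
    """Case one (dumb I/O): the whole packet crosses to the host unprocessed,
    the host disassembles it and feeds the body back for decryption."""
    raw = module.bypass("black_to_red", pkt)          # first pass
    header, enc = split_packet(raw)                   # host-side disassembly
    body = module.crypt(nonce, enc)                   # second pass
    return struct.unpack(HEADER_FMT, header), body


def receive_case_two(module, nonce, pkt):
    """Case two (smart I/O): the I/O disassembles on the black side, so only
    header bytes use bypass and the body is decrypted on the fly."""
    header, enc = split_packet(pkt)
    header = module.bypass("black_to_red", header)
    body = module.crypt(nonce, enc)
    return struct.unpack(HEADER_FMT, header), body


def roundtrip(body=b"report for TCB"):
    """Build one packet and decrypt it both ways; returns what each host sees."""
    key, nonce = b"constructed-demo-key", b"pkt-0001"
    tx, rx1, rx2 = Module(key), Module(key), Module(key)
    pkt = send(tx, nonce, 1, 0x0010, 0x0020, body)
    return receive_case_one(rx1, nonce, pkt), receive_case_two(rx2, nonce, pkt)


if __name__ == "__main__":
    print(roundtrip())
```

Both flows yield the same header and plaintext; what differs is the bypass log (case one records the whole packet crossing once, case two only the header) and the number of passes through the module. The header remains visible on the wire in both cases, which is the traffic-analysis exposure the section warns about; the trailer is bound to the ciphertext, so a damaged packet is rejected by the CRC check before any decryption is attempted.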
Project OVERTAKE offers significant benefits to the host systems integrator. The multifunction, dynamically reconfigurable nature of the modules permits the incorporation of endorsed cryptography in a wide range of functional environments. The unclassified nature of the modules permits the use of endorsed cryptography in previously forbidden physical environments, as well as reducing the integrator's costs and schedule. Module cost is further reduced and availability enhanced by the broad supplier base. Interoperability permits interconnection with, and the orderly upgrade of, systems which use current cryptographic products. Above all, the enforcement of standard interfaces to the modules will facilitate long-term technical planning, reduce technical risk, and permit systems to easily accommodate improvements in technology.